| Summary: | <dev-python/django-2.1.2: Password hash disclosure to "view only" admin users | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | python, vdupras |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.djangoproject.com/weblog/2018/oct/01/security-release/ | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
dev-python/django-2.1.2
|
Runtime testing required: | --- |
Yes it is. Arches, please stabilize dev-python/django-2.1.2. Thanks. amd64 stable x86 stable The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=217a3daeb7e95e0830b744228d4bd6910ead5ec1 commit 217a3daeb7e95e0830b744228d4bd6910ead5ec1 Author: Virgil Dupras <vdupras@gentoo.org> AuthorDate: 2018-10-05 11:44:01 +0000 Commit: Virgil Dupras <vdupras@gentoo.org> CommitDate: 2018-10-05 11:44:01 +0000 dev-python/django: remove old and vulnerable Bug: https://bugs.gentoo.org/667456 Signed-off-by: Virgil Dupras <vdupras@gentoo.org> Package-Manager: Portage-2.3.50, Repoman-2.3.11 dev-python/django/Manifest | 1 - dev-python/django/django-2.1.1.ebuild | 87 ----------------------------------- 2 files changed, 88 deletions(-) Stabilization and cleanup done (In reply to Virgil Dupras from comment #5) > Stabilization and cleanup done Virgil, I still see 2.0.9, was it unaffected? Aaron, no, the 2.0.x and 1.11.x were not affected. Those two branches are still supported, so they would have been part of the advisory had they been affected. (In reply to Virgil Dupras from comment #7) > Aaron, no, the 2.0.x and 1.11.x were not affected. Those two branches are > still supported, so they would have been part of the advisory had they been > affected. Thank you! |
From ${URL} : CVE-2018-16984: Password hash disclosure to "view only" admin users If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but not change) permission to the user model were displayed the entire hash. While it's typically infeasible to reverse a strong password hash, if your site uses weaker password hashing algorithms such as MD5 or SHA1, it could be a problem. Thanks Phithon Gong for reporting this issue. @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.